Skip to main content

Three buffer overflow vulnerabilities could lead to code execution and three others concern path traversal, authentication bypass, and insecure randomness

Threat ID:CC-4585
Threat Severity:Medium
Published:5 December 2024 3:41 PM

Summary

Three buffer overflow vulnerabilities could lead to code execution and three others concern path traversal, authentication bypass, and insecure randomness

Affected platforms

The following platforms are known to be affected:

Versions: 10.2.1.13-72sv and earlier
Sonicwall Secure Mobile Access (SMA) 100 Series Appliances
  • SMA 200
  • SMA 210
  • SMA 400
  • SMA 410
  • SMA 500v
Note: SonicWall SSL-VPN SMA1000 series products are not affected by these vulnerabilities

Threat details

SSL-VPN and firewall appliances are popular targets for attackers

SSL-VPN and firewall appliances are internet-facing by design and are frequently targeted by attackers. Vulnerabilities in SSL-VPN and firewall appliances are often exploited soon after official disclosure so organisations are urged to apply security updates as soon as practicable.


Introduction

SonicWall has released a security advisory to address six vulnerabilities in SMA100 SSL-VPN appliances. SonicWall Secure Mobile Access (SMA) is a unified secure access gateway that provides a Secure Sockets Layer (SSL) virtual private network (VPN), context aware device authorisation, application level VPN, and advanced authentication with federated single sign-on (SSO) for cloud and on-premises resources.



Vulnerability details

CVE-2024-38475 - attributed to publicly known Apache HTTP Server vulnerability

  • CWE-35: Path traversal vulnerability with a CVSSv3 Score of 7.5 
  • An attacker exploiting this vulnerability may be able to map URLs to file system locations that are permitted to be served by the server.

CVE-2024-40763 - affecting SonicWALL SMA100 SSLVPN

  • CWE-122: Heap-based buffer overflow vulnerability with a CVSSv3 score of 7.5
  • A remote, authenticated attacker could exploit this heap-based buffer overflow vulnerability, potentially leading to remote code execution (RCE).

CVE-2024-45318 - affecting SonicWall SMA100 SSLVPN web management interface

  • CWE-121: Stack-based buffer overflow vulnerability with a CVSSv3 score of 8.1
  • An attacker could exploit this stack-based buffer overflow vulnerability, potentially leading to RCE.

CVE-2024-45319 - affecting SonicWall SMA100 SSLVPN

  • CWE-798: Certificate-based authentication bypass vulnerability with a CVSSv3 score of 6.3
  • A remote, authenticated attacker can circumvent the certificate requirement during authentication.

CVE-2024-53702 - affecting SonicWall SMA100 SSLVPN backup code generator

  • CWE-338: Insecure randomness vulnerability with a CVSSv3 score of 5.3
  • An attacker could exploit this vulnerability by abusing the cryptographically weak pseudo-random number generator (PRNG) in the SonicWall SMA100 SSLVPN backup code generator, which could result in exposing the generated secret.

CVE-2024-53703 - affecting SonicWall SMA100 SSLVPN mod_httprp library loaded by the Apache web server

  • CWE-121: Stack-based buffer overflow vulnerability with a CVSSv3 score of 8.1
  • An attacker could exploit this stack-based buffer overflow vulnerability, potentially leading to RCE.

Remediation advice

Affected organisations are encouraged to review SonicWall advisory SNWLID-2024-0018 and apply the relevant updates.

Definitive source of threat updates

CVE Vulnerabilities

StatusPublished
CVE-2024-38475Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected. Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.
StatusPublished
CVE-2024-40763Heap-based buffer overflow vulnerability in the SonicWall SMA100 SSLVPN due to the use of strcpy. This allows remote authenticated attackers to cause Heap-based buffer overflow and potentially lead to code execution.
StatusPublished
CVE-2024-45318A vulnerability in the SonicWall SMA100 SSLVPN web management interface allows remote attackers to cause Stack-based buffer overflow and potentially lead to code execution.
StatusPublished
CVE-2024-45319A vulnerability in the SonicWall SMA100 SSLVPN firmware 10.2.1.13-72sv and earlier versions allows a remote authenticated attacker can circumvent the certificate requirement during authentication.
StatusPublished
CVE-2024-53702Use of cryptographically weak pseudo-random number generator (PRNG) vulnerability in the SonicWall SMA100 SSLVPN backup code generator that, in certain cases, can be predicted by an attacker, potentially exposing the generated secret.
StatusPublished
CVE-2024-53703A vulnerability in the SonicWall SMA100 SSLVPN firmware 10.2.1.13-72sv and earlier versions mod_httprp library loaded by the Apache web server allows remote attackers to cause Stack-based buffer overflow and potentially lead to code execution.

Last edited: 5 December 2024 3:41 pm

Back to top